The OpenVPN client seems to ignore the "--auth-retry interact" option provided for connecting to VPNs with one-time-password/multi-factor-auth (OTP/MFA aka 2FA). Instead of respecting the challenge-response from the server and prompting for a OTP, the OpenVPN client reverts to asking for the Username/Password again.
I confirm the behavior described at https://superuser.com/questions/1531704/failed-to-authenticate-w-google-authenticator-when-configuring-openvpn-client-o?newreg=e7bc584ec68c4d1b97631a8daad01cce.
In my case, this is happening with DUO 2FA, not Google Authenticator. It doesn't matter what MFA provider we're talking about, the problem seems to be the OpenVPN client ignoring the Challenge-Response from the VPN server.
I think either: OPKG needs to be re-compiled for OPKG to support "--auth-retry interact" Challenge-Response with a compile-flag; or a separate OpenVPN Plugin needs to be built for OPKG.
I'd test these assertions myself but I'm at the bottom of the OpenWRT cross-compile ecosystem so it would save alot of time for somebody who already builds OpenVPN for OPKG to chime in on this.